This is certainly an interesting idea, but it would be extremely difficult to implement. At our shop, we have run SECTRACEs on different applications that we believe are using certificates and found out that some (like CICS) are loading certificates every time they start, regardless of if some service inside that application actually uses the certificate or not. So you would always see a "use" of the certificate when CICS starts, even if no process in CICS ever tries to read that certificate for something.